A virtual private network (VPN) enables a computer to securely access resources located on a private network over a public network (e.g. the Internet) connection. This is performed by establishing a VPN tunnel, which serves as an encrypted link between the external computer and the resources located behind the firewall on the private network. VPNs are often used to allow individual employees of a business or other organization to securely access the corporate intranet when the employees are located outside of the organization's physical premises. However, VPNs can also be implemented in a site-to-site configuration, where a VPN tunnel is established between gateway devices located in different physical locations (e.g. data centers) to create a single private network across both locations. Computers in each location can then privately access the other location, via the gateway device at their own location, as though they were on the same local network.
One example of a setting where site-to-site VPN configurations are used is the remote desktop environment, such as those based on virtual desktop infrastructure (VDI) or Desktop-as-a-Service (DaaS). In such environments, a user is typically provisioned with a virtual desktop and allowed to access that virtual desktop over a remote network connection, such as an Internet connection. The virtual desktops are implemented as virtual machines hosted on servers that reside in a data center located remotely from the user, and each host server may execute multiple virtual machines. Users can utilize a client device with a virtual desktop client application installed thereon to remotely log into their individual virtual desktop. Application execution takes place on the remote host server, which is linked to the client device over the network using a remote display protocol such as VMware Blast, Remote Desktop Protocol (RDP), PC-over-IP (PCoIP), Virtual Network Computing (VNC), or the like. Using such a remote desktop protocol, the user can interact with applications of the virtual desktop, which are running on the remote host server, such that only the display (i.e. framebuffer pixel data), keyboard, and mouse information is communicated with the local client device. A common implementation of this approach is to host multiple desktop operating system instances as individual virtual machines (VMs) on a server hardware platform running a hypervisor that manages the VMs.
Often, the applications running on the user's desktop need VPN access in order to reach private resources located in other data centers, i.e. in different locations from the server that is hosting the user's desktop. For example, the user may need to access a corporate intranet page provided by the employer's web server, which is located behind a firewall in a different physical network from the virtual desktop. In order to access the page, the web browser may require VPN access, and it is therefore important to set up a VPN connection for the web browser application. Moreover, it is usually good practice to enforce VPN access on a per-application basis, so that other applications are not permitted to reach private resources they should not have access to. In light of this, certain operating systems (e.g. Microsoft Windows 10) have introduced features that enable an application to automatically trigger a VPN connection, which is quite useful when an application requires a VPN connection to send data.
To enable per-application VPN (e.g. using such an OS feature), an administrator would normally need to manually set up the VPN on each desktop and then enable auto-triggering of the VPN and split tunneling for specific applications, a process which is at the very least cumbersome and in some cases not secure. Moreover, recent developments in virtual desktop technology have enabled the delivery of individual applications to the virtual desktop in nearly real time, such as upon user login. Such “real-time” application delivery utilizes desktop pools which are not dedicated and do not have specific applications pre-installed and pre-configured thereon. Instead, the applications are assigned to such desktops at the time of user login, allowing any desktop to be assigned to any user, while still enabling per-user configuration of applications. This allows better utilization of physical resources and a reduction of overall costs. However, if the desktop pool is floating and the applications are delivered in real time to a vast number of desktops, the manual configuration of VPN on each desktop becomes impractical. Furthermore, any change in VPN entitlements could lead to massive administrative effort on all affected desktops. An improved approach to managing VPN access on a per-application basis is needed.
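The manual per-desktop setup the passage describes, scripted with the built-in Windows 10 VpnClient cmdlets, as an added example that is not part of the original text and does not reflect any particular vendor's implementation. The profile name, gateway address, application path, intranet prefix and DNS suffix are placeholders; the script is assumed to run in the user's session on the virtual desktop, since app-triggered profiles are per-user connections.

```powershell
# Added example: per-application VPN auto-trigger with split tunneling on Windows 10.
# All values below are placeholders for this illustration, not real infrastructure.
$ConnectionName = 'CorpIntranetVPN'
$VpnServer      = 'vpn.example.com'                     # placeholder VPN gateway
$PrivatePrefix  = '10.10.0.0/16'                        # placeholder intranet range
$CorpSuffix     = 'corp.example.com'                    # placeholder internal DNS suffix
$TriggerApps    = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe'      # placeholder: browser that needs the intranet
)

# 1. Create the VPN profile once. -SplitTunneling keeps general Internet traffic
#    off the tunnel; only the routes added in step 2 are reached through it.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName -ServerAddress $VpnServer `
        -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
        -EncryptionLevel Required -SplitTunneling -Force
}

# 2. Route only the private network through the tunnel.
Add-VpnConnectionRoute -ConnectionName $ConnectionName `
    -DestinationPrefix $PrivatePrefix -ErrorAction SilentlyContinue

# 3. Register the applications whose launch auto-triggers the connection.
#    Only these processes bring the tunnel up; other applications do not.
foreach ($app in $TriggerApps) {
    Add-VpnConnectionTriggerApplication -ConnectionName $ConnectionName `
        -ApplicationID $app -Force
}

# 4. Also trigger on, and resolve, the intranet DNS suffix over the tunnel.
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $ConnectionName `
    -DnsSuffix $CorpSuffix -Force

# 5. Do not trigger when the desktop is already inside the corporate network.
Set-VpnConnectionTriggerTrustedNetwork -ConnectionName $ConnectionName `
    -DnsSuffix $CorpSuffix -Force

# Review the resulting trigger configuration for this profile.
Get-VpnConnectionTrigger -ConnectionName $ConnectionName
```

Every step is tied to one desktop and one user session, which is exactly why the passage calls repeating it across a floating pool impractical.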